


PROGRAM PROTECTION NEWSLETTER 

A. K. A. 

THE PHANTOMS NEWSLETTER 
AUGUST 1984




WHAT IS A PROGRAM PROTECTION NEWSLETTER? 

It is a monthly newsletter that will deal with program protection 
schemes of all types. Each month will cover 3 to 5 specific 
examples of different program protection schemes. Some will be 
very easy schemes, others may be very difficult. Some issues will 
cover word processors, data bases, spread sheets and games. Many 
different programs will be selected and each will be fully 
explained as to their type of protection. 

Each program example used will be for illustrative purposes only. 
It is not the intention of this newsletter to promote or encourage 
illegal or unauthorized duplication of any copyrighted program. 

WHY WOULD ANYBODY NEED A PROGRAM PROTECTION NEWSLETTER? 

Many programs have a very sophisticated protection scheme and can 
not be used on some disk drives (MSD, 4040, 8050 etc.). Other 
programs use errors on the disk that can be very harmful to the 
disk drive. Many other people just prefer to use one disk for all 
their programs of one specific type (i.e. utilities). 

You are allowed to make an ARCHIVAL copy of any program that you 
have purchased. Some protection schemes do not allow the program 
to be directly backed up. They may require the use of 
sophisticated copy programs or extensive knowledge of MACHINE 
LANGUAGE to understand. In either case the average user may not be 
able to obtain an archival copy of his valued programs. 

Another group of people just want to know more about their 
computer and its associated components. They want to know how 
programs are protected and how their machine operates. They want 
to know how to modify their own disks and how to protect their own 
programs. 

Whatever reason you have for wanting to learn about program 
protection this newsletter is for you! 


PASS THIS COUPON ON TO YOUR FRIENDS WHO WISH TO LEARN MORE ABOUT 
PROGRAM PROTECTION SCHEMES. 


SUBSCRIPTION PRICE $35.00 POST PAID IN U.S. ($40.00 FOREIGN) 

NAME. 

ADDRESS . 

CITY,STATE,ZIP. 


SEND TO: 

C. S. M. SOFTWARE 


The program is REVERSAL, COPYRIGHT 1983 BY HAYDEN BOOK COMPANY, INC. 


TYPE OF PROTECTION: The main program is stored on the disk in a program 
file and is written in ML (you can tell that it is written in ML by the 
speed of operation). This program is loaded into memory by a loader program 
that checks for the proper errors on the disk and executes the main program 
if the proper errors are found. The loader program is written in BASIC. 

HOW TO COPY: Simply copy the disk with any good copy program and place the 
errors on the disk at the proper location. Or use one of the newer nibble 
copy programs and let it put the errors on for you. 

HOW TO MAKE A WORKING COPY WITHOUT ANY ERRORS ON THE DISK. 

The technique used here is similar to the techniques described on pages 14 
- 10 of the Program Protection Manual. 

1) Copy the original disk with BACKUP 228 or any other good copy program 
that does not place any errors on the destination disk. 

2) Load and list the loader program. You can’t do it can you? The program 
has a graphics character at the end of line 10 (see page 15 of the Program 
Protection Manual). To remove the graphics character all you have to do is 
to move the cursor up to line 10 and press RETURN. 

3) List the loader program. Here is the entire program protection scheme! 
Look for and find the comparisons (IF E <> 23 THEN and IF E <> 27 THEN). 

4) Change the value of the comparisons to 00. Be careful not to lengthen 
or shorten the code. (Some programs not only check for bad blocks, they 
also check the length of the loader program). When you copied the disk the 
errors were not placed on the destination disk. Now, when the error channel 
is read the message 00,OK,00,00 will be returned from the disk drive. This 
indicates that there was not any error on the disk. 

5) Save the code back to the copy disk. Use the save with replace option 
or scratch the file from the disk then save the modified version. 

6) YOU'RE DONE. 




... a different type of protection routine. The program is written in 
BASIC and the loader is written in ML. The program uses errors on the disk. 

The program is TRIVIA, COPYRIGHT 1983 BY CYMBAL SOFTWARE INC. 

TYPE OF PROTECTION: The main program is stored on the disk in user files. 
The loader routine will load the user files into memory and store the files 
at the proper memory location in the computer. The loader program will also 
check for an error on the disk. If the proper error is found the program 
will execute. 

HOW TO COPY: Use any good copy program and place the errors on the proper 
track and sector. You may also use one of the newer nibble copy programs to 
copy the disk and place the errors on the disk for you. 

HOW TO MAKE A WORKING COPY WITHOUT ANY ERRORS ON THE DISK. 

The techniques used on this program are described in pages 45 - 50 of the 
Program Protection Manual. You will be able to apply the information 
contained here on many different programs. 

1. Copy the original disk with BACKUP 228 or any good copy program that 
will not place any errors on the destination disk. 

2. Load and run the original disk. As the program executes you will find 
that the prompts react extremely slowly. When you press a key it seems to 
take forever for the program to respond. This is a very good indication of a 
program that is written in BASIC: slow response time. Compare the response 
time needed for this program to your favorite arcade type game. Extremely 
slow programs will be written in BASIC. 

3. With the program in memory, RESET your computer (page 45 of P.P.M.). 
Load and execute the program called RESTORE from your disk. Now list the 
program. You have just captured the whole program in memory. 

4. Save the program out to a newly formatted disk (not the copy disk). 
The copy disk was only an insurance policy; always make a copy of every 
disk prior to doing anything. 

5. Repeat the same procedure on the other modules of the program. You may 
now save all four parts of the program out on one disk. 

6. YOU'RE DONE. 



... us by now. The program has an auto start loader program that will check 
for an error on the disk prior to executing the main program. 

The program is BC'S QUEST FOR TIRES (tm), COPYRIGHT 1983 BY SIERRA ON LINE 
INC. 


TYPE OF PROTECTION: The auto start routine first blanks the screen so that 
no characters may be seen. Then it loads a user file from the disk into the 
screen memory. The program then jumps to the memory contained at the screen 
location ($0400). This code will perform the necessary error checks (bad 
blocks) and then loads the main program from the disk. The main program is 
stored on the disk in user files and must be loaded back into memory in the 
proper order and at the proper location. If the proper error is present 
then the program will execute. 


HOW TO COPY: Use any good copy program to copy the disk and place the 
appropriate errors on the copy disk. One of the newer nibble copy programs 
may also be used to make a working copy. 


HOW TO MAKE A WORKING COPY WITHOUT ANY ERRORS ON THE DISK. 

The technique used here is similar to that illustrated in pages _»0 — 60 of 
the Program Protection Manual. We will also use one of the special 
utilities from the disk called U1 & U2. 


1. Copy the disk with any good copy program that does not place any 
errors on the copy disk. The copy program must copy all the data from the 
disk (remember that user files may be placed anywhere on the disk). 

2. Disassemble the loader program using U1 & U2 (from track 17, sector 
0). This program loads a user file from the disk and stores the code at 
$0400. To find out what block of memory will be loaded, use the 'I' command 
of your ML monitor. You will find the following ASCII code 2 81 0 2:1U. Try 
reversing the order of the code to find out the proper block (U1:2 0 18 2), 
track 18 sector 2. 


3. Disassemble the USER file (track 18, sector 2) using U1 & U2. Comment 
the code (see pages 52 - 56 of PPM). Starting at the 10th line of code you 
will find the program opens a file for input (JSR $FFC6), inputs a 
character (JSR $FFCF) and then compares this character to the hex value of 
$32 (CMP #$32). 


4. The code has enough components of a program protection scheme (see 
chapter 9) to qualify as one. In order to 'fix' this program from beating 
your disk drive to death, one only has to change the comparison from 
CMP #$32 to CMP #$30. Save the USER file back to the copy disk. 


YOU’RE DONE. 




WHAT DO YOU THINK OF A COPY PROGRAM THAT WILL NOT COPY ITSELF? 

Every time that you buy a copy program, is it necessary to buy another copy 
program to copy the first one? 

I always thought that a copy program should copy everything on the market 
(including itself). 

There is a new technique that is being used by some programmers to test how 
many copies of a program have been made. This involves the use of a master 
disk and copy disk(s). The master, in its original form, is useless. It may 
only be used to make working copies. Many times, due to exotic protection 
schemes, the copy disks do not work. Now you have a master disk that is not 
useable and a copy disk that does not work! 

The way that the program keeps track of how many copies you have made 
is by writing data on the master disk during the copy process. Therefore, 
if the write protect notch is covered on the master disk the copy program 
will be aborted. 

The proper way to make your working copy disk is to follow the instructions 
included with the master disk exactly. Use this technique to make the FIRST 
working copy (most programs using this technique allow the user to make 2 
or more copies). If everything works well you may continue making your user 
copies as specified by the instructions. Every time that you make a copy 
of the master disk it will update itself even if the copy disk does not 
work. 

If the user copy, made the normal way, does not work you may have success 
using a different technique. Use this technique only if the manufacturer's 
instructions do not work as specified. Use this procedure at your own risk. 

1. Cover the write protect notch on the master disk. 

2. Type in the appropriate command to begin the copy process (i.e. 
LOAD "COPY",8,1). Leave the cursor flashing on the same line. DO NOT insert 
the master disk at this time. 

3. Get your master disk ready to insert. Press RETURN. Wait 1-2 seconds 
then insert your master disk. The disk drive only checks the write protect 
notch during the first few moments of the operation. So, if you wait a 
moment or two before inserting your master the disk drive will 'think' that 
the disk is not write protected. It will be necessary to remove (and 
re-insert) the master disk EVERY TIME that the program requires a user 
prompt (or input). Wait a moment or two after you press the proper key 
before inserting the master disk. 

4. Check the copy disk to verify that the program performs as specified. 
Remember: only try this technique if the copy made from the master disk was 
unsuitable. Using this technique the master disk will not be updated when 
copies are made. If you get a bad copy disk you will still have the ability 
to try again. 

5. You are only authorized to make one working copy and an archival copy 
by Federal Copyright laws. You may only make more copies if authorized by 
the copyright holder (in writing). 






This chapter is from the 2nd edition of the P.P.M. 

Certain tools are necessary for the breaking of cartridges. Some 
of these were described in chapter 12 on cartridge protection. In 
this chapter we will expand upon what was mentioned in chapter 
12. We will also introduce some new tools of interest to those 
who wish to investigate cartridges. 

Hopefully you have either installed the switch described in 
chapter 12 or purchased a mother board. (Cardco distributes 5 
slot expansion boards which have a nice built-in reset switch. 
These can be purchased for under $60. Check at your dealer or 
contact us at CSM if you are interested in purchasing one of 
these devices.) 

In chapter 12 we discussed the fundamentals of making cartridge 
back-ups. Briefly: 1. Load your HIMON. 2. Switch out the 
cartridge. 3. Place the cartridge into the game slot. 4. Switch 
in the cartridge. 5. Transfer the memory from 8000 to A000 to 
disk (8K). 

Many cartridges can be backed up in this fashion. However, many 
cartridges now have some form of protection through which they 
cause your RAM copy to "self-destruct". The details of these 
copy-protection schemes were discussed in chapter 12. You may 
have attempted to copy one of your cartridges and found that your 
computer was locked up merely by switching in the cartridge! You 
were unable to gain control of the computer. All attempts to get 
control resulted in either the cartridge getting control, or the 
system being locked up. 

The reason for this strange behavior has to do with the way in 
which the computer is told to configure its memory. The various 
memory configurations are detailed on pp. 260-267 of the 
Programmer's Reference Guide. There are two important pins on the 
expansion (game) port: pin 8 which is called GAME and pin 9 which 
is called EXROM. The voltages applied to these pins have a lot to 
do with the memory configuration the computer adopts. In its 
normal state the GAME and EXROM are high (5 volts). However, when 
a cartridge is in the slot, it may ground either one or both of 
these pins. On power-up or reset the computer checks the voltages 
on these pins. If one or both of them are low (grounded), the 
computer configures its memory differently. 

Memory locations $0000 and $0001 also play a role in what memory 
configuration the computer adopts. As was mentioned earlier, when 
bit zero of address $0001 (LORAM) is set low, BASIC is switched 
out. You can change address $0001 from your ML monitor. You will 
probably find that 01 contains $37. Try changing it to $36 from 
your ML monitor. You have switched out BASIC! Now try exiting (X) 
your monitor. You will find that the computer is locked up. This 
is due to the fact that you tried to exit to BASIC and BASIC 
isn't there! Remember, you switched it out. If you changed 
address $0001 to $35 you would switch both BASIC and the KERNAL 
ROM out. This will immediately crash the system if your monitor 
makes any calls to the KERNAL. If you want to have some fun, you 
can transfer (T in the monitor) memory from A000 to BFFF into 
A000. This gives you a RAM copy of BASIC. Now you can switch out 
BASIC ROM and exit your monitor without causing a system crash. 
You are in your RAM copy of BASIC. Now, if you wish, you may 
return to the ML monitor and actually modify the BASIC 
interpreter. If you know what you are doing you can create new 
BASIC commands. Similarly, you can transfer a copy of the KERNAL 
into RAM and switch out the KERNAL ROM. You can now modify the 
KERNAL! Remember, if you make changes things are going to be 
different. You can easily make changes which will crash the 
system. However, the clever programmer could improve both BASIC 
and the KERNAL. You might (with the help of a tool described 
below) be able to re-write the KERNAL in such a way that it would 
not initialize the memory from $0000-$0800 upon a reset. This 
would allow you to "capture" more of a program that you were 
examining. Remember, normally zero page is initialized on reset. 
This destroys any values which a program may have placed there. 
Those values may be essential to the proper running of the 
program. Their absence may cause the program to crash when you 
try to run it. 
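
The bank switching just described, as an added example (not code from the 
newsletter or the Program Protection Manual): a small Python model of the 
$0001 port with no cartridge present (GAME and EXROM high). The ROM bytes 
are constructed filler and the class and function names are this example's own. 

```python
"""Model of C64 ROM banking through the processor port at $0001.
Assumption: no cartridge (GAME and EXROM both high). ROM bytes below are
constructed filler, not real Commodore ROM contents."""

LORAM, HIRAM, CHAREN = 0x01, 0x02, 0x04
BASIC_AREA = range(0xA000, 0xC000)
IO_AREA = range(0xD000, 0xE000)
KERNAL_AREA = range(0xE000, 0x10000)


class BankedMemory:
    def __init__(self):
        self.ram = bytearray(0x10000)          # 64K of RAM sits under everything
        self.basic_rom = bytes((i * 7 + 1) & 0xFF for i in range(0x2000))
        self.kernal_rom = bytes((i * 5 + 3) & 0xFF for i in range(0x2000))
        self.ram[0x0001] = 0x37                # normal value of the port

    def visible(self, addr):
        """Name what the CPU reads at addr under the current port value."""
        port = self.ram[0x0001]
        loram, hiram = bool(port & LORAM), bool(port & HIRAM)
        if addr in BASIC_AREA and loram and hiram:
            return "BASIC ROM"                 # BASIC needs both bits high
        if addr in KERNAL_AREA and hiram:
            return "KERNAL ROM"
        if addr in IO_AREA and (loram or hiram):
            return "I/O" if port & CHAREN else "CHAR ROM"
        return "RAM"

    def read(self, addr):
        what = self.visible(addr)
        if what == "BASIC ROM":
            return self.basic_rom[addr - 0xA000]
        if what == "KERNAL ROM":
            return self.kernal_rom[addr - 0xE000]
        if what == "RAM":
            return self.ram[addr]
        raise NotImplementedError("I/O and character ROM are not modelled")

    def write(self, addr, value):
        if self.visible(addr) == "I/O":
            raise NotImplementedError("I/O registers are not modelled")
        self.ram[addr] = value & 0xFF          # ROM is read-only: writes hit RAM


def transfer(mem, start, end, dest):
    """Monitor-style T command: copy start..end (inclusive) to dest."""
    for offset in range(end - start + 1):
        mem.write(dest + offset, mem.read(start + offset))


def ram_copy_of_basic():
    """Copy BASIC into the RAM beneath it, bank the ROM out, patch the copy."""
    mem = BankedMemory()
    rom_view = [mem.read(a) for a in BASIC_AREA]
    transfer(mem, 0xA000, 0xBFFF, 0xA000)      # reads ROM, writes RAM underneath
    mem.write(0x0001, 0x36)                    # LORAM low: BASIC ROM switched out
    ram_view = [mem.read(a) for a in BASIC_AREA]
    mem.write(0xA000, 0xEA)                    # patch the RAM copy only
    patched = mem.read(0xA000)
    mem.write(0x0001, 0x37)                    # bring the ROM back
    return {
        "copy_matches_rom": ram_view == rom_view,
        "patched_byte": patched,
        "rom_byte_after_restore": mem.read(0xA000),
    }


def regions(port):
    """What $A000, $D000 and $E000 show for a given value of $0001."""
    mem = BankedMemory()
    mem.write(0x0001, port)
    return tuple(mem.visible(a) for a in (0xA000, 0xD000, 0xE000))


if __name__ == "__main__":
    for port in (0x37, 0x36, 0x35, 0x34):
        print(f"${port:02X}:", regions(port))
    print(ram_copy_of_basic())
```

With $34 in the port even the I/O block at $D000 is replaced by RAM, which is why a program running in that state has to supply its own routines for everything. 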

Thus the values of LORAM and HIRAM (bits 0 and 1 of address 
$0001) also have much to do with the way the computer "sees" its 
memory. In its normal configuration LORAM, HIRAM, GAME and EXROM 
are all set high. Some cartridges set EXROM low while leaving the 
others high. This forces the computer to adopt a different memory 
configuration. In this case, the 16K from 8000 to BFFF is 
occupied by the external cartridge ROM (or RAM). Cartridges which 
configure memory in this fashion do not cause the computer to 
lock up when you try to examine them. There are, however, other 
options. 

Some cartridges set GAME low (by grounding pin 8) and leave EXROM 
high. In this case the computer "sees" the cartridge in the 8K 
block from E000 to FFFF. Yes, this eliminates the KERNAL! There 
is no problem in doing this as long as no calls are made to the 
KERNAL. Obviously cartridges which locate themselves here don't 
make KERNAL calls. They have built-in routines to accomplish what 
the KERNAL would have accomplished. Furthermore, many important 
system vectors are contained at the high end of memory. The 
cartridge ROM has its own set of vectors at these locations and 
can thus get control upon reset or power-up since the system must 
vector to where the cartridge tells it to go. (Note: This system 
causes an auto-start to occur without the use of the CBM80 spoken 
of earlier. In fact, it cannot use the CBM80 since those 
characters must appear at $8004-$8008 and in this configuration 
the cartridge ROM appears at $E000 to $FFFF.) 

How then do we get a RAM copy of such a cartridge? This question 
has at least two good answers: 1) Physically change the cartridge 
board so that pin 8 (GAME) is not grounded and that pin 9 (EXROM) 
is grounded. This really isn't difficult. You must "break open" 
the cartridge housing and carefully examine the structure of the 
board. Pins 1 and Z are both system ground. One of these may be 
directly connected to pin 8. If you sever this connection, pin 8 
will remain high. Now be sure that pin 9 is grounded. Try 
examining the cartridge now. You may be able to "see" the program 
residing ... 

Remember that the data contained on the cartridge does not know 
where it is supposed to reside in memory. The way the pins are 
configured determines where the data will reside in the computer's 
memory. If you can disassemble it you should transfer a copy to 
your disk. It may be that this method fails to work. In that 
case you may want to add another tool to your tool kit (see 
below). 

We aren't done yet! Remember, this program expects to be located 
at $E000 to $FFFF. You may want to change the pointers in the 
program file (on the disk) to cause it to load to that location 
(Use Clone or Disk Dr.) or you will have to write a ML loader 
routine (see below) that will relocate the program to $E000 and 
JMP to the entry point. 

You will now have to examine the vector at $FFFC (and $FFFD). 
This is the system reset vector. The computer is going to jump to 
the location specified by this vector upon reset (or power up). 
This will be the entry point into the cartridge or to your RAM 
copy! Write down the entry point for future reference. All that 
remains is to write a short ML loader program which will 1) Load 
the copy to $E000. 2) Switch out the KERNAL ROM (put a $34 at 
$0001). 3) Jump to the entry point you wrote down earlier. This 
may be all that has to be done. However, if cartridge protection 
(as described in chapter 12) is present, you will have to locate 
it and remove it. 

Above it was mentioned that there were at least two good methods 
for investigating these "strange" types of cartridges. The second 
method involves the use of an EPROM programmer. We have found 
that the PROMENADE by Jason-Ranheim is an excellent device and 
well worth the small investment (CSM is an authorized dealer). 
With this device and the accompanying software you can not only 
examine cartridge ROMs but you can make exact copies of them on 
an EPROM (Erasable Programmable Read Only Memory chip). You can 
then plug the copy onto another board and 'voila' - a perfect 
working copy! The PROMENADE can also be used to examine a 
cartridge ROM. You must remove it from its board and drop it in 
the PROMENADE. Then, with one simple command, you can dump the 
program on the cartridge into memory and examine it with your ML 
monitor. If you are willing to invest a few dollars, you can buy 
a "Proto-Clip" which allows you to clip directly onto the ROM 
chip without removing it from the board. If you wire the other 
end of the clip to a 20 pin socket you can drop the socket into 
the PROMENADE, clip onto the cartridge ROM and examine it, 
down-load it etc. 

The PROMENADE allows you to put your own routines or utilities on 
a cartridge. If you are tired of loading the DOS wedge or 
whatever, you can now "burn" these programs into your own EPROM 
and have them auto-load upon power up or reset. Jason-Ranheim 
manufactures two different bank switch boards. One holds up to 4 
EPROMS (max. 128K), the other holds up to 8 such EPROMS (max. 
256K). You can select any one of the EPROMS and address an 8K 
block of memory in it. This gives you access to up to 128K with 
the 4 slot board or 256K with the 8 slot board! Remember, you 
will be loading from EPROMS with extremely fast access time. You 
can burn all your frequently used utilities into EPROMS, 
selecting any one using one POKE and one SYS. You are also 
provided with a routine through which you can burn BASIC programs 
onto the EPROMS and have them auto-load. Using the Cardco 5 slot 
expander with five of the 256K boards you could have up to one 
and a quarter megabytes of programs at your fingertips!!! Think 
of the possibilities. 1.25 megabytes with virtually instant access 
time. 

A final word to the adventuresome: Abacus software publishes two 
excellent books: The Anatomy of the C-64 and The Anatomy of the 
1541 Disk Drive. The former contains fully commented assembly 
language listings of the BASIC and KERNAL ROMs. These will prove 
very useful if you decide to get creative and modify one or both 
of these programs. The disk drive book contains an excellent 
commented assembly language listing of the DOS in your disk 
drive. If you spend the time to familiarize yourself with the 
workings of the DOS you will realize that there are many 
parameters which could be changed in order to cause strange 
things to happen during formatting or during error checking or 
whenever. Unfortunately the disk drive only contains 2K of RAM 
memory and thus you cannot make a RAM copy of the operating 
system (like you can do with BASIC and the KERNAL) and modify it. 
There is hope for the creative however. 

In most disk drives the DOS chips are removable. If you have an 
EPROM burner (like the PROMENADE described above) you can remove 
the DOS chip from your disk drive, drop it in the PROMENADE and 
Load a copy of the DOS into the memory of the C-64. Once the DOS 
is in memory you can disassemble it using your ML monitor. You 
will find it to match the listing in the Anatomy of the 1541. The 
point here is that the RAM copy can be modified using your ML 
monitor. This modified version can be burned into an EPROM and 
this EPROM can be placed back into your drive. You are now 
running under your own DOS!! We currently have disk drives 
capable of reading and writing 41 tracks!! Clever changes may 
allow you to create extra tracks, half-tracks, turn off error 
checking etc. You could theoretically re-write the DOS totally 
and sell your version to other 1541 owners. Perhaps less error 
checking would make the drive run substantially faster. 

If you use your imagination you will come up with many ideas 
which are relevant for copying cartridges and for the breaking of 
some of the more sophisticated copy protection schemes being used 
now to protect programs. 

The game goes on. It will always go on. The programmers will 
devise better protection schemes. The pirates will break those 
schemes. New schemes will be devised and so on. There are 
presently dozens of programs which claim to be able to copy a 
large number of protected programs. Some of them are quite good. 
You may have purchased a number of them already. Keep in mind 
that all those programs will become obsolete quickly. New 
protection schemes will be developed which defeat all of them. 
You have two choices: You can continue to purchase copy programs 
as they are improved. Or you can keep up with developments in 
protection methods and break the latest generation of protected 
programs ... 




ERROR 29 ID MISMATCH MAKER 

100 OPEN15,8,15,"I0:"
110 INPUT"TRACK #";T
120 INPUT"ASCII FOR CHAR 1";I
130 INPUT"ASCII FOR CHAR 2";D
140 ID$=CHR$(I)+CHR$(D)
145 REM READ TRACK T, SECTOR 0 SO THE HEAD IS ON TRACK T
150 OPEN5,8,5,"#":PRINT#15,"U1";5;0;T;0:CLOSE5
155 REM DRIVE $0600: 76,199,250 = JMP $FAC7
160 PRINT#15,"M-W";CHR$(0)CHR$(6)CHR$(3)CHR$(76)CHR$(199)CHR$(250)
165 REM DRIVE $0051: TRACK NUMBER T
170 PRINT#15,"M-W";CHR$(81)CHR$(0)CHR$(1)CHR$(T)
175 REM DRIVE $0012-$0013: THE NEW TWO CHARACTER ID
180 PRINT#15,"M-W";CHR$(18)CHR$(0)CHR$(2)ID$
185 REM DRIVE $0003: JOB CODE FOR THE BUFFER AT $0600
190 PRINT#15,"M-W";CHR$(3)CHR$(0)CHR$(1)CHR$(200)
200 FORT=0TO3000:NEXT
210 PRINT#15,"UJ":PRINT#15,"I0:"
220 CLOSE15

READY. 

This routine will format one track of the disk with the new ID. 
You must use a different ID on the track to be formatted. When 
the program runs the ID of each track and sector is read into 
memory and compared with the ID of track 18, sector 0. If they 
match everything is OK. If not, an ID mismatch (error 29) is 
generated. 


